httpd-users mailing list archives

From Roman Medina-Heigl Hernandez <ro...@rs-labs.com>
Subject Re: [users@httpd] Mixing rewrite with authn_dbd: Rewriting based on path value stored in mysql table
Date Mon, 02 Mar 2009 09:02:11 GMT
Hello,

I have a *partially* working solution which I'd like to share with you. It's
tricky (based on my own home structure) and limited, though. Feedback is
appreciated, please!

Some comments:
- Debian 5.0 includes ajp 1.2.12, so I cannot get the url/dir from another
column in users' table (this functionality is for ajp 1.3+). In my case, I
can live without it, having the following convention: username will be a
domainname (which makes sense, since I want to offer stats pages for
different domains). For instance, stats for domain "test.com" will use the
username "test.com".
- I've only experimented with per-dir rewrite (the non-recommended way...),
which has the limitation of request reinjection (so you must include
negative rewrite rules which protect you against loops). Perhaps it may be
improved with server rewrite.
- The current method is not secure: an attacker knowing the internal
homedir structure could easily craft a request bypassing the rewrite
ruleset, being able to access other domain/user's stats. It could also be
used to access other directories/files of other users (in my case those
dirs are protected using OS permissions).
- Performance is not very efficient, since I'm reinjecting requests (it
seems unavoidable if using per-dir rewrite).
- Stats home for domain "test.com" will be:
/clientes/test.com/stats/http/
which should be accessed through:
http://isp/stats/


Current config is:
====

        Alias /stats /clientes

        <Location /stats/>
                # Basic Auth
                AuthType Basic
                AuthName "Stats"
                AuthBasicProvider dbd

                Require valid-user
                AuthDBDUserPWQuery "SELECT pass FROM stats WHERE user = %s and enabled = 1"

                # Rewrite so that each user lands in their own stats directory
                RewriteEngine on
                RewriteBase /stats
                RewriteRule !^/clientes/[^/]+/stats/http/ - [C]
                RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1 [PT]
        </Location>

====

More comments:
- at the beginning I tried something like:
               RewriteBase /stats
               RewriteCond $1 !^%{REMOTE_USER}/
               RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1 [PT]

The problem is that you cannot have %{REMOTE_USER} as the 2nd parameter in
RewriteCond, so I have no way of comparing it with $1 (which couldn't be in
the 2nd parameter, either). Any idea to implement it? (i.e. test if REMOTE_USER
string is included in URI path).

Cheers,
-Roman

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
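
Added example, not part of the original message: one way to do the comparison asked about above (is REMOTE_USER the first segment of the path?) is to join both values into one test string and let a regex back-reference compare them. The Python model below shows that check and a per-user policy built on it; the `<>` delimiter, the function names, the stricter `stats/http/` check and the RewriteCond line in the comment are assumptions.

```python
import posixpath
import re

# Both values go into the test string ("<user><>$1"); the pattern only holds a
# back-reference, so the username is compared literally ('.' is not a wildcard).
# Assumed Apache form of the same idea (not from the original message):
#   RewriteCond %{REMOTE_USER}<>$1 !^([^<]+)<>\1/
OWN_TREE = re.compile(r"^([^<]+)<>\1/")
SEP = "<>"  # hypothetical delimiter; must never occur in a username


def in_own_tree(remote_user: str, rest: str) -> bool:
    """True if rest (the $1 of ^/clientes/(.*)) starts with '<remote_user>/'."""
    if not remote_user or "<" in remote_user or "/" in remote_user:
        return False  # would break the delimiter or the path-segment logic
    return OWN_TREE.match(remote_user + SEP + rest) is not None


def decide(remote_user: str, mapped_path: str) -> str:
    """Model of the intended policy for a path already mapped under /clientes/."""
    path = posixpath.normpath(mapped_path)  # collapse '..' before comparing
    if mapped_path.endswith("/"):
        path += "/"
    prefix = "/clientes/"
    if not path.startswith(prefix):
        return "deny"
    rest = path[len(prefix):]
    if in_own_tree(remote_user, rest):
        # Inside the user's own tree: only the stats directory is served.
        return "allow" if rest.startswith(remote_user + "/stats/http/") else "deny"
    # Anything else is confined to the user's own stats directory.
    return "rewrite:" + prefix + remote_user + "/stats/http/" + rest


if __name__ == "__main__":
    # Constructed sample requests for the user "test.com".
    for p in ("/clientes/index.html",
              "/clientes/test.com/stats/http/index.html",
              "/clientes/other.com/stats/http/index.html"):
        print(p, "->", decide("test.com", p))
```

A request that names another user's tree is not passed through: it is rewritten under the authenticated user's own directory, where it resolves to nothing.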

